diff options
Diffstat (limited to 'gnu/packages/certs.scm')
| -rw-r--r-- | gnu/packages/certs.scm | 127 |
1 files changed, 106 insertions, 21 deletions
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm index b72d927c0d..e15a9660df 100644 --- a/gnu/packages/certs.scm +++ b/gnu/packages/certs.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2016, 2017 Ludovic Courtès <[email protected]> ;;; Copyright © 2017 Leo Famulari <[email protected]> ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <[email protected]> +;;; Copyright © 2021 Raghav Gururajan <[email protected]> ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,13 +25,63 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix git-download) + #:use-module (guix build-system copy) #:use-module (guix build-system gnu) #:use-module (guix build-system trivial) #:use-module (gnu packages) + #:use-module (gnu packages curl) #:use-module (gnu packages python) #:use-module (gnu packages perl) #:use-module (gnu packages tls)) +(define-public desec-certbot-hook + (let ((commit "68da7abc0793602fd336962a7e2348b57c5d6fd6") + (revision "0")) + (package + (name "desec-certbot-hook") + (version + (git-version "0" revision commit)) + (source + (origin + (method git-fetch) + (uri + (git-reference + (url "https://github.com/desec-io/desec-certbot-hook") + (commit commit))) + (file-name (git-file-name name version)) + (sha256 + (base32 "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2")))) + (build-system copy-build-system) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-after 'unpack 'patch-script + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "hook.sh" + ;; The hook-script look for '.dedynauth' file in $PWD. + ;; But users cannot create or edit files in store. + ;; So we patch the hook-script to look for '.dedynauth' file, + ;; in /etc/desec. + (("\\$\\(pwd\\)") + "/etc/desec") + ;; Make absolute reference to curl program. + (("curl") + (string-append (assoc-ref inputs "curl") + "/bin/curl")))))) + #:install-plan + '(("." "etc/desec" #:include ("hook.sh"))))) + (inputs + `(("curl" ,curl))) + (synopsis "Certbot DNS challenge automatization for deSEC") + (description "The deSEC can be used to obtain certificates with certbot +DNS ownership verification. With the help of this hook script, you can obtain +your Let's Encrypt certificate using certbot with authorization provided by the +DNS challenge mechanism, that is, you will not need a running web server or any +port forwarding to your local machine.") + (home-page "https://desec.io") + (license license:expat)))) + (define certdata2pem (package (name "certdata2pem") @@ -147,7 +198,7 @@ taken from the NSS package and thus ultimately from the Mozilla project.") (define-public le-certs (package (name "le-certs") - (version "0") + (version "1") (source #f) (build-system trivial-build-system) (arguments @@ -155,9 +206,12 @@ taken from the NSS package and thus ultimately from the Mozilla project.") #:builder (begin (use-modules (guix build utils)) - (let ((root (assoc-ref %build-inputs "isrgrootx1.pem")) - (intermediate (assoc-ref %build-inputs "letsencryptauthorityx3.pem")) - (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem")) + (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem")) + (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem")) + (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem")) + (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem")) + (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem")) + (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem")) (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs")) (openssl (assoc-ref %build-inputs "openssl")) (perl (assoc-ref %build-inputs "perl"))) @@ -166,7 +220,9 @@ taken from the NSS package and thus ultimately from the Mozilla project.") (lambda (cert) (copy-file cert (string-append out "/" (strip-store-file-name cert)))) - (list root intermediate backup)) + (list root-rsa root-ecdsa + intermediate-rsa intermediate-ecdsa + backup-rsa backup-ecdsa)) ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and ;; similar.) @@ -186,26 +242,55 @@ taken from the NSS package and thus ultimately from the Mozilla project.") (sha256 (base32 "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92")))) - ;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate - ;; certificate. - ("letsencryptauthorityx3.pem" - ,(origin - (method url-fetch) - (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem") - (sha256 - (base32 - "100lxxvqv4fj563bm03zzk5r36hq5jx9nnrajzs38g825c5k0cg2")))) - ;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate - ;; certificate. This will be used for disaster recovery and will only be - ;; used should Let's Encrypt lose the ability to issue with "Let’s - ;; Encrypt Authority X3". - ("letsencryptauthorityx4.pem" + ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2" + ; Let's Encrypt describes it as "Active, limited availability" + ("isrgrootx2.pem" ,(origin (method url-fetch) - (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem") + (uri "https://letsencrypt.org/certs/isrg-root-x2.pem") (sha256 (base32 - "0d5256gwf73drq6q6jala28rfzhrgbk5pjfq27vc40ly91pdyh8m")))))) + "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1")))) + ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate + ;; RSA certificate. + ("letsencryptauthorityr3.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem") + (sha256 + (base32 + "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp")))) + ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate + ;; ECDSA certificate. + ("letsencryptauthoritye1.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem") + (sha256 + (base32 + "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0")))) + ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate + ;; RSA certificate. This will be used for disaster recovery and will only be + ;; used should Let's Encrypt lose the ability to issue with "Let’s + ;; Encrypt Authority R3". + ("letsencryptauthorityr4.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem") + (sha256 + (base32 + "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8")))) + ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate + ;; ECDSA certificate. This will be used for disaster recovery and will + ;; only be used should Let's Encrypt lose the ability to issue with "Let’s + ;; Encrypt Authority E1". + ("letsencryptauthoritye2.pem" + ,(origin + (method url-fetch) + (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem") + (sha256 + (base32 + "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml")))))) (home-page "https://letsencrypt.org/certificates/") (synopsis "Let's Encrypt root and intermediate certificates") (description "This package provides a certificate store containing only the |